I understand that CyberArk automatically rotates account passwords without requiring the current password, as would be the case in a manual change.
However, a recent update to the PAM module files has caused an issue. When the rotation process runs, it seems unable to change the password because it still prompts for the current password.
I have identified that the line responsible for requesting the current password is:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
If I comment out this line, along with the line:
password required pam_deny.so
I can change account passwords without needing the current password.
However, I cannot remove these lines for security reasons. Has anyone encountered this situation and can provide guidance, please? I’m using RHEL8.
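
An added example, not part of the original post and not CyberArk or Red Hat tooling: a small Python check that parses a PAM password stack and reports what the stack loses when the two quoted lines are commented out. The pam_pwquality.so line in the sample and the function names are assumptions, since the post does not show the rest of the file.

```python
import re

# Constructed sample: the two lines quoted in the post, preceded by an assumed
# pam_pwquality.so line (the post does not show the rest of the stack).
SAMPLE_STACK = """\
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
LINE_RE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_password_stack(text):
    """Return (control, module, args) for every active 'password' line."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.split("#", 1)[0].strip())  # ignore comments
        if match:
            control, module, args = match.groups()
            entries.append((control, module.rsplit("/", 1)[-1], args.split()))
    return entries

def lint_password_stack(text):
    """Return a list of findings (heuristics) for the password stack in text."""
    entries = parse_password_stack(text)
    findings = []
    for index, (_, module, args) in enumerate(entries):
        # use_authtok makes a module reuse the new password collected by an
        # earlier password module instead of prompting for one itself.
        if "use_authtok" in args and index == 0:
            findings.append(f"{module}: use_authtok with no earlier password module")
    if not any(module == "pam_unix.so" for _, module, _ in entries):
        findings.append("no pam_unix.so: stack does not update local shadow passwords")
    if not entries or entries[-1][1] != "pam_deny.so":
        findings.append("stack does not end in pam_deny.so")
    return findings

if __name__ == "__main__":
    for finding in lint_password_stack(SAMPLE_STACK) or ["no findings"]:
        print(finding)
```

To check a real host, pass the contents of the relevant file under /etc/pam.d/ to lint_password_stack instead of the constructed sample.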